Misdirection for a Price: Malicious Link-Shortening Services
Researchers Discover 'Prolific Puma' Service Used by Hackers, Phishers and Scammers
No cybercriminal stands alone. Profit-driven hackers are abetted by a cybercrime ecosystem that supplies tools and services to plan, execute and profit from attacks.
One such underground service offers link shortening for criminals to facilitate phishing attacks and online scams and to deliver malware via drive-by attacks on browsers.
Security researchers gave the service the codename "Prolific Puma." They discovered it by identifying patterns in links being used by some scammers and phishers that appeared to trace to a common source. The service appears to have been active since at least 2020 and is regularly used to route victims to malicious domains, sometimes first via other link-shortening service URLs.
"Prolific Puma is not the only illicit link shortening service that we have discovered, but it is the largest and the most dynamic," said Renee Burton, senior director of threat intelligence for Infoblox, in a new report on the cybercrime service. "We have not found any legitimate content served through their shortener."
Infoblox, a Santa Clara, California-based IT automation and security company, published a list of 60 URLs it has tied to Prolific Puma's attacks. The URLs employ such domains as
Infoblox said many domains registered by the group are parked for several weeks while being used, since many reputation-based security defenses will treat freshly registered domains as more likely to be malicious.
How links shortened using Prolific Puma are delivered to victims isn't clear, Burton said. "We do not know how the original shortened URL is delivered to the victim; it may be through an SMS text message given that it opens a fake Gmail message," she said. "The domains used during the exploitation of the victim change and are themselves part of a large network."
In any given attack, criminals may use multiple shortened links - one redirecting to another - that eventually land on a phishing page, Infoblox reported. One example detailed by the researchers involved communications purporting to provide the ability to test a brand-new iPhone 15 Pro Max for free, leading to a malicious web page designed to push browser-based malware onto the user's system.
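As an added illustration (not from Infoblox or the original article), a defender could reconstruct redirect chains from web-proxy logs and flag visits that pass through two or more short-link-style hops on different hosts before reaching a landing page. The log records, the `.example` hostnames and the path-length heuristic are constructed assumptions.

```python
from urllib.parse import urlsplit, urljoin

# Constructed proxy log records (not from the Infoblox report):
# (requested URL, HTTP status, Location header)
SAMPLE_LOG = [
    ("http://ab1.example/x7Kq", 302, "http://cd2.example/p/9ZtR"),
    ("http://cd2.example/p/9ZtR", 301, "https://landing.example/promo/iphone"),
    ("https://landing.example/promo/iphone", 200, None),
    ("https://intranet.example/login", 302, "/sso"),
    ("https://intranet.example/sso", 200, None),
]
REDIRECT_CODES = {301, 302, 303, 307, 308}

def build_chains(records):
    """Link each redirect to its target and return one chain per entry URL."""
    # urljoin resolves relative Location headers against the requested URL.
    nxt = {url: urljoin(url, loc) for url, status, loc in records
           if status in REDIRECT_CODES and loc}
    targets = set(nxt.values())
    chains = []
    for start in nxt:
        if start in targets:          # mid-chain hop, not an entry point
            continue
        chain, seen = [start], {start}
        while chain[-1] in nxt and nxt[chain[-1]] not in seen:  # loop guard
            chain.append(nxt[chain[-1]])
            seen.add(chain[-1])
        chains.append(chain)
    return chains

def looks_like_short_link(url, max_path=12):
    """Heuristic (assumption): a short, non-empty path and no query string."""
    parts = urlsplit(url)
    return parts.path not in ("", "/") and len(parts.path) <= max_path and not parts.query

def flag_chained_shorteners(records, min_short_hosts=2):
    """Flag chains whose redirecting hops look like short links on several hosts."""
    flagged = []
    for chain in build_chains(records):
        hops = chain[:-1]             # last element is the landing page
        hosts = {urlsplit(u).hostname for u in hops if looks_like_short_link(u)}
        if len(hosts) >= min_short_hosts:
            flagged.append({"entry": chain[0], "landing": chain[-1], "hops": len(hops)})
    return flagged

if __name__ == "__main__":
    for hit in flag_chained_shorteners(SAMPLE_LOG):
        print(hit)
```

The same-host intranet redirect is reconstructed as a chain but not flagged, because only one host is involved.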
Where Prolific Puma is based also isn't clear, although researchers have found clues to group members' personalities and preoccupations, based on the data the group uses when it registers public-only domains. This includes an email address that references "October 33," a 2019 song by the American psychedelic soul band Black Pumas, who are based in Austin, Texas, researchers said. The group also often uses as the registrant's name "Leila Puma" - Leila is a girl's name of Arabic origin that means "night" - as well as a personal email account registered to a Ukrainian consumer hosting service, and a mailing address for a primary school in Poland.
Not all cybercriminals pay for link-shortening services. Many legitimate services can be abused for free, although results can vary.
Website reputation intelligence provider SURBL says that based on its data, these are the 10 most-abused free redirectors:
The widespread abuse of such services has led many organizations to block them outright, shunting emails that carry such links into the junk folder, or at least to excise such links from the body of messages.
In response, some criminals pay for malicious link-shortening services that promise to build short links that security and anti-spam tools can't detect.
Whether the same criminals who run the Prolific Puma link-shortening service also use it to launch attacks, or whether the service is provided on demand to third-party customers, remains an open question, Infoblox said.
Abused: US TLD
Prolific Puma's link-shortening service appears to excel at abusing the .us top-level domain name, which is designed to be restricted for use by U.S. citizens and residents and organizations that are based in the country or have a legitimate presence. Instead, use of the TLD is "plagued by cybercrime," Burton said.
Since Oct. 4, Prolific Puma has "somehow subverted the transparency requirements for the usTLD and converted nearly 2,000 domains to private registrations," Infoblox reported.
All usTLD names are meant to be public, meaning that the name of the person who registered the domain name, as well as their email address, street address and phone number, are meant to be publicly accessible, Infoblox said.
Registrars who offer usTLD names, including NameSilo, enforce the prohibition on setting records to be private, meaning they're not publicly accessible via the Whois service for identifying who owns a domain or how to contact them.
Even so, Prolific Puma appears to have procured at least 1,062 domain names via NameSilo and set them to be private, Infoblox reported. That's despite the NameSilo domain registration interface not even offering an option for private settings. "At this time, we are not able to explain this behavior," Burton said.